I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellanea like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Dr. Web's chief executive Boris Sharov, who says Apple never responded when the firm shared its findings on the Flashback botnet.

Updated with more details of Apple’s response below.

Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets. And according to the firm that discovered this new outbreak, it could use a lesson in teamwork.

Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, says he learned Monday from the Russian Web registrar Reggi.ru that Apple had requested the registrar shut down one of its domains, which Apple said was being used as a “command and control” server for the hundreds of thousands of PCs infected with Flashback. In fact, that domain was one of three that Dr. Web has been using as a spoofed command and control server–what researchers call a “sinkhole”–to monitor the collection of hijacked machines and try to understand their behavior, the technique which allowed the firm to first report the size of Apple’s botnet last week.
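As an added illustration of the sinkhole measurement described above (example code written for this page, not Dr. Web's tooling, and the log format and the per-machine bot identifier in the request path are assumptions, not the real Flashback protocol), this script parses check-in lines a sinkhole web server might record and sizes the population by distinct bot identifier rather than by source IP, since roaming machines and shared NAT gateways make IP counts unreliable. It also reports how many identifiers are new each day, which is the trend a sinkhole operator watches while a takedown is under way.

```python
import re
from collections import defaultdict

# Constructed sample of what a sinkhole web server might log for bot
# check-ins. The format (timestamp, source IP, request path carrying a
# per-machine bot identifier) is an assumption for this example, not
# the real Flashback protocol. The /healthz line is deliberate noise.
SAMPLE_LOG = """\
2012-04-09T10:00:01Z 203.0.113.5 GET /id/aaaa-1111
2012-04-09T10:00:02Z 203.0.113.5 GET /id/bbbb-2222
2012-04-09T10:05:00Z 198.51.100.7 GET /id/aaaa-1111
2012-04-09T10:06:00Z 203.0.113.5 GET /id/cccc-3333
2012-04-09T11:00:00Z 192.0.2.44 GET /healthz
2012-04-10T09:00:00Z 198.51.100.7 GET /id/aaaa-1111
2012-04-10T09:30:00Z 203.0.113.77 GET /id/dddd-4444
"""

# Only lines that look like a bot check-in (path /id/<bot_id>) are counted;
# scanners, browsers and health checks hitting the sinkhole are noise.
CHECKIN_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<ip>\S+) GET /id/(?P<bot>[0-9a-f-]+)$"
)


def parse_checkins(log_text):
    """Return (day, ip, bot_id) tuples for every check-in line; skip noise."""
    checkins = []
    for line in log_text.splitlines():
        m = CHECKIN_RE.match(line.strip())
        if m:
            checkins.append((m["day"], m["ip"], m["bot"]))
    return checkins


def population_estimate(checkins):
    """Size the botnet by distinct bot identifier, with the IP count alongside.

    Counting source IPs over- or under-estimates: one machine roams across
    networks (same bot, several IPs) while many machines share a NAT gateway
    (several bots, one IP). The per-day split, with the number of
    never-before-seen identifiers, is the growth signal a sinkhole operator
    tracks while a takedown is in progress.
    """
    bots_by_day = defaultdict(set)
    ips_by_day = defaultdict(set)
    for day, ip, bot in checkins:
        bots_by_day[day].add(bot)
        ips_by_day[day].add(ip)

    per_day = {}
    seen = set()
    for day in sorted(bots_by_day):
        new_bots = bots_by_day[day] - seen
        seen |= bots_by_day[day]
        per_day[day] = {
            "bots": len(bots_by_day[day]),
            "ips": len(ips_by_day[day]),
            "new_bots": len(new_bots),
        }
    overall = {
        "bots": len(seen),
        "ips": len({ip for _, ip, _ in checkins}),
        "checkins": len(checkins),
    }
    return {"per_day": per_day, "overall": overall}


if __name__ == "__main__":
    est = population_estimate(parse_checkins(SAMPLE_LOG))
    for day, stats in est["per_day"].items():
        print(day, stats)
    print("overall", est["overall"])
```

On the constructed sample the first day shows three distinct bots behind only two IPs (two machines share one gateway, one machine moves networks), which is exactly why identifier-based counts, not IP counts, are what a sinkhole operator reports as the infection size.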

“They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users,” says Sharov. “This seems to mean that Apple is not considering our work as a help. It’s just annoying them.”

Sharov believes that Apple’s attempt to shut down its monitoring server was an honest mistake. But it’s a symptom of the company’s typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn’t received a response. “We’ve given them all the data we have,” he says. “We’ve heard nothing from them until this.”

I’ve contacted Apple for comment, but haven’t yet heard back from the company either.

In Apple’s defense, it may not have recognized Dr. Web as a credible security firm when the company contacted Apple earlier this month–I hadn’t heard of the firm either until its discovery and analysis of the Flashback botnet. But the better-known security firm Kaspersky confirmed Dr. Web’s findings on Friday. A Kaspersky representative said it hadn’t contacted Apple with its findings and hadn’t had any direct communication with Apple, and Kaspersky researcher Kurt Baumgartner wrote in a statement that “from what we’ve seen, Apple is taking appropriate action by working with the larger internet security community to shut down the Flashfake [also known as Flashback] C2 domains. Apple works vigorously to protect its brand and wants to rectify this.” Kaspersky wouldn’t offer more details on how Apple is working with the security community.

Update: Apple now says it will release a Flashback removal tool and is “working with ISPs worldwide” to disable the botnet’s command and control servers.

Locating and shutting down command and control servers is typical practice for a company trying to behead and cripple a botnet targeting its computers. Sharov says that Dr. Web has worked with Microsoft several times in the past on those efforts. But Apple, which has never dealt with a botnet the size of the Flashback infection, has fewer ties to firms like Dr. Web, Sharov says. “For Microsoft, we have all the security response team’s addresses,” he says. “We don’t know the antivirus group inside Apple.”

Sharov, like others, criticizes Apple for its delay in issuing a patch for a security vulnerability in Java that the Flashback malware exploited to invisibly install itself on Macs when users visit infected web pages. The bug was patched by Oracle in February, but Apple didn’t fix the flaw until earlier this month. “Their response should have been much earlier when they should have updated their Java,” says Sharov. “Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing.”

(Read about how to check your computer for Flashback and remove it here.)

Dr. Web and Kaspersky both estimate that more than 600,000 Macs are infected with Flashback, which would represent more than 1% of all of Apple’s PCs. So far, the botnet is being used for click fraud rather than credit card theft. But its sheer size represents a shift in the cybercriminal underground, which has long ignored Macs to focus on Windows’ larger market share.

Apple’s less-than-diplomatic handling of Dr. Web’s work wouldn’t be the first time it’s raised the hackles of the security research community. When well-known Apple researcher Charlie Miller created a proof-of-concept app demonstrating a flaw in Apple’s security restrictions, the company responded by revoking his developer’s license.

Sharov says he can understand Apple’s brusque response to his researchers’ work. “These are not pleasant days for them,” he says. “They’re not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe.”


Comments

Sorry to disappoint, steve, but the problem is in Java. Buy a vowel, get a clue.

What’s the second most exploited platform after Windows? You guessed it steve, Android. Pot, kettle, black.

We can volley back and forth, and prove nothing. Or, we can keep an eye on this botnet, monitor its size, and see where it takes us. I’d also like to know what’s going on, on those compromised computers. What nefarious activities are taking place?

LOL it's hilarious to see all these non-Mac users getting so hot and bothered about finally being able to shove something in Apple's face about their OS not being secure.

The virus affects JAVA which is not owned or managed by APPLE.

Mac OSX is still by far more secure than windows will ever be. SO FAR THERE HAS NOT EVEN BEEN A VIRUS FOR THE MAC SEEN IN THE WILD, PERIOD.

This current trojan has only infected 1% of all Macs or about 600,000 computers. I'm sorry to say but this is a FAR cry from what PCs are infected with.

And what are you talking about with Apple stealing designs from other companies? Are you talking out of your ass or what? Steve Jobs is listed on over 300 patents for Apple's products. Bill Gates has about 12…

EVERY TIME a trojan is found in a small minority of Macs one or two companies try to sensationalize the situation and use the same type of rhetoric about how ‘Apple is becoming more vulnerable’ or how Apple is ‘scared that their computer will be targeted’.

Sorry, these are just scare tactics from people trying to squeeze money out of scared users. Any system can be compromised. There are no exceptions. The Apple OSX (Unix) environment is by DEFAULT more secure than the Windows OS. Remember Unix has been around since the late 60s. That's over 40+ years.

You are incorrect that the Java version is not managed by Apple. Apple has their own internally managed Java distribution that comes with their computers; this is a different distribution than Oracle’s version. One major issue is that the main Java distribution was updated to fix the vulnerability back in February, but Apple did not release their ‘fix’ until very recently. It is a major concern that Apple was this slow to respond.

Another major issue that you have missed is Apple’s inability to effectively work with outside sources such as Dr. Web, or their outright hostility to people that expose exploits within their operating system (every OS has vulnerabilities). Apple needs to pull their collective heads out of the sand and be more open in their security measures if they are going to adapt to the new and rapidly changing threats.

Mark my words, there WILL be more and more threats to MAC OS ecosystem, and Apple will have to react better to future threats if they want to avoid damaging their pristine ‘security’ image.

“And now he wants Apple to come begging for his help?” By freely submitting all the security information gathered?

“Why is it that the ones who scream the loudest about security are also the ones also selling security software?” Because they are a company that understands security and develops security. My Grandma doesn’t own a computer and isn’t going to be the one touting computer security.

Taking advantage of an exploit would be much more profitable than announcing it so Apple can patch it. The article wouldn’t exist if Apple took steps to work with the people that are trying to help and not try to silence them. “When well-known Apple researcher Charlie Miller created a proof-of-concept app demonstrating a flaw in Apple’s security restrictions, the company responded by revoking his developer’s license.”

OSX is no more secure than Windows. More people use Windows, so more targets. Windows users usually have some kind of protection nowadays because they have been targeted for years, while Apple is just now being targeted. You ask why everyone is making a big deal.

DUH! Because for years every time you see a new Windows virus come out you have to have the Apple idiots saying “buy a Mac, they don’t get malware/viruses.”

If Apple had patched Java this would not have happened. They do everything “Different” than everyone else. More like they think that they are….

Apple users tend to be less tech savvy, so expect the sheep to fall in line until Apple realizes that OSX is no more secure than anything else if you don’t maintain its security properly.